External Systems Configuration Guide

Microsoft Active Directory

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
LDAP | User details, password age | - | Security Monitoring, user metadata for logs
WMI | - | Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP Search Rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions | Performance Monitoring
WMI | - | "dcdiag -e" command output: detects successful and failed domain controller diagnostic tests | Domain Controller Replication status
WMI | - | "repadmin /replsummary" command output: detects replication statistics | Domain Controller Replication status

Event Types

  • PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account expires within 2 weeks)
  • PH_DISCOV_ADS_ACCT_DISABLED (Active Directory account disabled)
  • PH_DISCOV_ADS_DORMANT_ACCT (Dormant user account: no logon in the last 30 days)
  • PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
  • PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
  • PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale: older than 90 days)
  • PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password expires within 2 weeks)
  • PH_DEV_MON_DCDIAG (output of the "dcdiag -e" command)
    [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"
  • PH_DEV_MON_SRC_AD_REPL_STAT (output of the "repadmin /replsummary" command, source side)
    [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]=""
  • PH_DEV_MON_DST_AD_REPL_STAT (output of the "repadmin /replsummary" command, destination side)
    [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[destName]="WIN-IGO8O8M5JVT",[errReason]=""
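The three PH_DEV_MON_* events above share one key/value layout, and the "Failed Windows DC Diagnostic Test" rule and the replication status reports are built on their testResult and failureCount fields. The following Python is an added example, not FortiSIEM code: it parses lines in that layout and applies the same health checks a rule would. The first and third sample lines are the page's own healthy samples; the second and fourth are constructed failure cases (the host name DC02-CONSTRUCTED and the error text are placeholders, not real output).

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in the FortiSIEM event format shown on this page.
# Lines 1 and 3 reproduce the page's healthy samples; lines 2 and 4 are
# constructed failure cases so the triage logic has something to flag.
SAMPLE_EVENTS = [
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"',
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[errReason]="constructed sample error",[testResult]="failed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="Replications"',
    '[PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",'
    '[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]=""',
    '[PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]="01h:12m:05s",'
    '[failureCount]=2.00,[count]=5.00,[failurePct]=40.00,[destName]="DC02-CONSTRUCTED",[errReason]="constructed sample error"',
]

HEADER_RE = re.compile(r"^\[(?P<type>[A-Z0-9_]+)\]:(?P<body>.*)$")
# A field is [key]=value; the value is either a double-quoted string (which may
# contain commas and spaces, or be empty) or a bare token running to the next comma.
FIELD_RE = re.compile(r'\[(?P<key>[A-Za-z0-9_]+)\]=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a dict; the event type is stored under 'eventType'."""
    match = HEADER_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a FortiSIEM event line: {line[:40]!r}")
    fields = {"eventType": match.group("type")}
    for field in FIELD_RE.finditer(match.group("body")):
        quoted, bare = field.group("quoted"), field.group("bare")
        # An empty quoted value ("") is a legitimate empty string, so test for None, not falsiness.
        fields[field.group("key")] = quoted if quoted is not None else bare.strip()
    return fields


def _to_float(value: Optional[str]) -> float:
    """Counters arrive as text such as 0.00; treat missing or malformed values as zero."""
    try:
        return float(value) if value else 0.0
    except ValueError:
        return 0.0


def triage(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for an unhealthy event, or None when the event is healthy."""
    event_type = event["eventType"]
    host = event.get("hostName", "?")
    if event_type == "PH_DEV_MON_DCDIAG":
        # Same condition as the page's "Failed Windows DC Diagnostic Test" rule:
        # any result other than "passed" is a failure.
        if event.get("testResult", "").lower() == "passed":
            return None
        reason = event.get("errReason") or "no reason given"
        return f"{host}: dcdiag test {event.get('testName', '?')} did not pass ({reason})"
    if event_type in ("PH_DEV_MON_SRC_AD_REPL_STAT", "PH_DEV_MON_DST_AD_REPL_STAT"):
        failures = _to_float(event.get("failureCount"))
        if failures <= 0:
            return None
        peer = event.get("srcName") or event.get("destName") or "?"
        total = _to_float(event.get("count"))
        direction = "from" if event_type.startswith("PH_DEV_MON_SRC") else "to"
        # largestReplDelta is free text from repadmin (e.g. ">60 days"), so it is
        # passed through for the analyst rather than parsed.
        return (f"{host}: {int(failures)} of {int(total)} replication attempts {direction} {peer} failed "
                f"(largest delta {event.get('largestReplDelta', '?')}; {event.get('errReason') or 'no reason given'})")
    return None


def triage_all(lines: List[str]) -> List[str]:
    """Parse every line and collect findings, skipping lines that are not events."""
    findings = []
    for line in lines:
        try:
            event = parse_event(line)
        except ValueError:
            continue
        finding = triage(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

The quoted/bare distinction in FIELD_RE matters: values such as largestReplDelta contain spaces and the ">" character, and errReason is frequently the empty string "", so a naive split on "," and "=" would either truncate values or drop fields.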

Rules

  • Failed Windows DC Diagnostic Test

Reports

  • Successful Windows Domain Controller Diagnostic Tests
  • Failed Windows Domain Controller Diagnostic Tests
  • Source Domain Controller Replication Status
  • Destination Domain Controller Replication Status

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Active Directory User Discovery

If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.

  1. Add the login credentials for the Active Directory server and associate them with an IP range.
  2. Discover the Active Directory server.

If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM.

After the users have been added to FortiSIEM, you can re-run discovery to pull in new changes from Active Directory. You cannot make changes in FortiSIEM, as this would inevitably put FortiSIEM out of sync with Active Directory.

Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).

Adding Active Directory Login Credentials to FortiSIEM

  1. Log in to your Supervisor UI.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
    1. Name: a name for the credential.
    2. Device Type: select Microsoft Windows.
    3. Access Protocol:
      1. By default, LDAP servers listen on TCP port 3268.
      2. LDAPS (LDAP with SSL) defaults to port 3269.
      3. LDAP Start TLS defaults to port 3268.
        Note: The Global Catalog ports (LDAP TCP/3268 and LDAPS TCP/3269) perform much better than the standard LDAP port TCP/389 and LDAPS port TCP/636, but not all LDAP attributes are present in the Global Catalog by default.

        For a single AD server, or if you do not need cross-domain queries through the Global Catalog, you can use the standard ports instead:
        • LDAP servers listen on TCP port 389.
        • LDAPS (LDAP with SSL) defaults to port 636.
        • LDAP Start TLS defaults to port 389.
    4. Used For: select Microsoft Active Directory.
    5. Base DN: enter the root of the LDAP user tree that you want to discover, for example dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com.
    6. NetBIOS/Domain: enter the NetBIOS/Domain value.
    7. User Name: enter the user name for your LDAP directory.

      The user should be a member of the Domain Users group in Active Directory. See Validating LDAP Credentials and Permissions below for how to verify this membership.

    8. Enter and confirm the Password for your User.
    9. Click Save. Your LDAP credentials will be added to the list of credentials.
  4. Under Enter IP Range to Credential Associations, click Add.
  5. Select your LDAP credentials from the list of Credentials. Click + to add more.
  6. Enter the IP/IP Range or host name for your Active Directory server.
  7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
  8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.

Discovering Users in FortiSIEM

  1. Go to ADMIN > Setup > Discovery and click New.
  2. For Name, enter Active Directory.
  3. For Include, enter the IP address or host name for your Active Directory server.
  4. Click Save. Active Directory will be added to the list of discoverable devices.
  5. Select the Active Directory device and click Discover.
  6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click the Refresh icon to load the user tree hierarchy.

To pick up user changes made in Active Directory, re-run discovery.

Validating LDAP Credentials and Permissions

  1. Log in to your Active Directory server.
  2. Open the Active Directory console by running dsa.msc from the command prompt.
  3. In the Active Directory console, select the user that was added in the FortiSIEM Supervisor.
  4. Right-click the selected user and open Properties.
  5. The user should be a member of Domain Users.
  6. The Base DN configured in FortiSIEM should match the domain, for example DC=accelops,DC=net.
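Both the Base DN step of the credential procedure and step 6 above depend on comparing distinguished names, and that comparison is not a plain string match: Active Directory treats attribute types and values case-insensitively, whitespace after commas is insignificant, and a comma inside a value (a CN such as "Smith, Bob") is backslash-escaped rather than separating components. The following Python is an added example, not FortiSIEM code; it normalizes DNs and checks which user entries fall under a given Base DN, so you can predict what a discovery scoped to a sub-tree will return. The sample user DNs are constructed under the page's example domain dc=companyABC,dc=com.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), both normalized to lower case


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on commas, honouring backslash escapes (RFC 4514)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn: str) -> List[RDN]:
    """Lower-case types and values and trim whitespace so two spellings of one DN compare equal.

    Active Directory matches DN components case-insensitively, so
    'DC=companyABC,DC=com' and 'dc=companyabc, dc=com' name the same object.
    """
    rdns = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base_dn(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base DN itself or lies anywhere beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    # A DN is written leaf-first, so "under the base" means its trailing RDNs equal the base.
    return len(entry) >= len(base) and entry[-len(base):] == base


def in_scope(entry_dns: List[str], base_dn: str) -> List[str]:
    """Return the entries an LDAP subtree search rooted at base_dn would return."""
    return [dn for dn in entry_dns if is_under_base_dn(dn, base_dn)]


# Constructed sample user DNs (not from the page) under the page's example domain.
SAMPLE_USERS = [
    "CN=Alice Example,OU=Org1,DC=companyABC,DC=com",
    "CN=Smith\\, Bob,OU=Org1,DC=companyABC,DC=com",   # escaped comma inside the CN
    "CN=Carol Example,OU=Org2,DC=companyABC,DC=com",
    "CN=Dave Example,OU=Org1,DC=other,DC=com",        # a different domain, never in scope
]

if __name__ == "__main__":
    print(in_scope(SAMPLE_USERS, "dc=companyABC,dc=com"))            # whole domain: 3 users
    print(in_scope(SAMPLE_USERS, "ou=Org1, dc=companyabc, dc=com"))  # Org1 sub-tree only: 2 users
```

If a user you expect to see after discovery is missing, run their DN from the Attribute Editor through is_under_base_dn against the Base DN you configured; a mismatch in the domain components or the OU is the usual cause.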

Mapping Active Directory User Attributes to FortiSIEM User Attributes

The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active Directory user attributes, take the following steps:

  1. Log in to Active Directory.
  2. Go to Active Directory Users and Computers.
  3. Click View > Enable Advanced Features.
  4. Find a user, and take the following steps:
    1. Double click user.
    2. Click Attribute Editor.
      You will see a set of attributes and the values they are set to.

In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary, Contact, and Member Of.

Microsoft Active Directory User Attribute | FortiSIEM User Attribute
sAMAccountName | User Name
name | Full Name
userPrincipalName | <Not shown>
mail | Email
telephoneNumber | Work Phone
mobile | Mobile Phone
title | Job Title
company | Company
department | <Not shown>
employeeID | Employee ID
manager | Manager
l | <Not shown>
postalCode | ZIP
streetAddress | Address
homePostalAddress | <Not shown>
c | City
st | State
co | Country
memberOf | Member Of